Generate iOS signing certificate and provisioning profile

Learn how to generate the signing certificate and mobile provisioning profile files used for signing your iOS app.

  • A signing certificate (.p12 file) is a digital identity used for code signing during the build and archive process.

  • A provisioning profile (.mobileprovision file) authorizes your app to use certain app services and ensures that you’re a known developer developing, uploading, or distributing your app.

For more information, see Apple’s What is app signing?.

You can use any macOS machine, including the Mac mini host, to generate signing certificates and provisioning profiles. If you have multiple Mac mini hosts, it is recommended to generate all the certificates and provisioning profiles for them on only 1 or 2 machines for better management.

Before you start

Only an Apple Development or iOS App Development certificate can be used. An Apple Distribution or iOS Distribution certificate cannot be used.

Generate a signing certificate

Create a certificate signing request

On any macOS machine, launch Keychain Access.

From the Keychain Access menu, choose Certificate Assistant, then select Request a Certificate From a Certificate Authority.

Input the Email Address and Common Name, but leave CA Email Address blank. Then choose Saved to disk and select Continue.

Select Save to download your .certSigningRequest file. You can rename the signing request.

When the signing request is created, the system creates a public and private key (the key pair) under the login keychain. The name of the key pair is the same as the value you provided under Common Name when creating the signing request. This key pair can be viewed from the Keys tab of the Login keychain:

The public and private key pair under the Keys tab in the login keychain

The generated key pair must not be removed from the keychain, as the signing request (and the subsequent signing certificate) cannot be used without the key pair.

Submit the signing request to generate a .cer file

These steps should be done using the same machine that you created the signing request on.

Log in to Apple Developer. Under Certificates, IDs & Profiles, select Certificates.

The Certificates option under Certificate, Identifiers and Profiles

Select the plus icon to create a new certificate.

The plus icon to create a new certificate

Choose Apple Development or iOS App Development, then select Continue.

Select Choose File, choose the .certSigningRequest file you generated, then select Continue.

Select Download to save the development.cer file to the local machine.

Generate .p12 file

These steps must be done on the same machine you created the certificate signing request on.

On the macOS device, launch Keychain Access.

Select the login keychain, select Certificates, then drag and drop the development.cer file into the Certificates page.

Make sure the login keychain is highlighted before you drag and drop the file into Certificates. If another keychain is highlighted instead, such as System, you cannot export the .p12 file.

Confirm that after dropping the .cer file into the login keychain, you can expand the cert to view the private key associated with it:

The expanded certificate with the private key visible after being imported into the login keychain

If you cannot expand the imported certificate to view the private key, double-check that all the below has been followed:

The expanded certificate without the private key after being imported into the login keychain

Select both the recently imported certificate and its private key, then select Export 2 items.

Right-click your .cert file, then select Export 2 items

Choose the Personal Information Exchange (.p12) file format, then select Save.

Enter a password to protect the certificate and select OK. Note down the password as you need to enter it when importing the file to another machine. If you don’t want to enter a password, leave the field blank.

Not entering a password for the .p12 file will require the use of Terminal commands to import it to the keychain of another machine. If you are not familiar with the Terminal, it is recommended to enter a password.

Input the macOS administrator password to export the .p12 certificate file. Store this file in a safe location.

Move the file to the Mac mini host(s) to import it later.

Generate a provisioning profile

If you have already created a provisioning profile by following the steps in this section, you do not need to create a new one to add a new signing certificate or new UDIDs. Edit the existing provisioning profile instead.

Create an identifier

Skip this step if you have created an identifier before.

At the Apple Developer resources page, select Identifiers. Select the plus icon to create a new identifier.

The plus icon to create a new identifier

Choose App IDs, then select Continue.

A closeup to Select App ID

Select App as type, then Continue.

A closeup to Select type

Add a description for the app ID. For Bundle ID, choose Wildcard. Input the appropriate Bundle ID into the box according to the use cases below:

  • If you do not use the Kobiton re-signing service, input com.mobilelabsinc.*.

  • If you use the Kobiton re-signing service and want to install any app, input com.*.

If you are unsure, input com.* as it will work in most cases.

A closeup to choose Wildcard option

When you’re finished, select Continue.

Review the information, then select Register to create the identifier.

A closeup to confirm app ID

Register device UDID

Skip this step if you have registered the UDID before.

Note down the UDID of all iOS/iPadOS devices you want to host.

At the Apple Developer resources page, select Devices. Choose the plus icon to register new devices.

The plus icon to register new device

Choose iOS, iPadOS, tvOS, watchOS, visionOS for Platform, then enter the device name and UDID to add a single device.

Alternatively, select Download sample files and follow the official instructions to register multiple devices, then upload the file by selecting Choose File.

Select Continue when you are finished.

The register new device screen with options to add single or multiple devices

Review the information and select Register.

The register new device review information screen with the Register button

Generate .mobileprovision file

At the Apple Developer resources page, select Profiles. Choose the plus icon to create a new profile.

Plus icon to create a new Profile

Select iOS App Development under Development, then Continue.

The iOS App Development option under Development

Choose the app ID you created earlier from the dropdown list, then Continue.

The app ID selection dropdown when generating a profile

Choose the certificate you created earlier, then Continue.

The certificate selection dropdown when generating a profile

Choose the devices you registered earlier, then Continue.

The device selection dropdown when generating a profile

Input the Provisioning Profile Name, review the information, then select Generate.

The review profile information screen with the Generate button

Select Download to save the .mobileprovision file. Move the file to the Mac mini host(s) for importing to deviceConnect and deviceShare later.

The download profile screen with the Download button

Edit a provisioning profile

Follow this section to edit an existing provisioning profile to add new certificates or device UDIDs.

  • You can edit an expired provisioning profile. A new expiry date will be set when saving the changes.

  • After saving the changes, you must download the edited provisioning profile and import it again to the Mac mini host(s).

At the Apple Developer resources page, select Profiles. Select any profile to open it.

The Provisioning Profile list on Apple Developer

In the Review Provisioning Profile page, select Edit.

The Review Provisioning Profile page with the Edit button visible

The Generate a Provisioning Profile page displays with all the information of the selected provisioning profile:

The Generate a Provisioning Profile page with all the information of the current profile

On the above page, you can edit the following:

  • Name of the profile.

  • The App ID to use.

  • The signing certificate(s) that are associated with the provisioning profile.

  • The device(s) that are provisioned with the provisioning profile.

After making all the changes, select Save. You can then Download the updated provisioning profile, then move the file to the Mac mini host(s) for importing to deviceConnect and deviceShare later.

The download profile screen with the Download button
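
A check worth running on a newly generated or edited .mobileprovision file before moving it to the Mac mini host(s), as an added example that is not part of the original page: it confirms the profile is unexpired, embeds your signing certificate, lists every device UDID you registered, and that its wildcard App ID covers a given bundle ID. It assumes the standard profile plist keys (ExpirationDate, DeveloperCertificates, ProvisionedDevices, Entitlements), reads the embedded plist without verifying the file's signature, and uses constructed sample values and hypothetical function names.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

def load_profile(raw):
    """Extract the XML plist embedded in a .mobileprovision (signature is NOT verified)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def check_profile(raw, cert_der, udids, bundle_id, now=None):
    """Return a list of problems; an empty list means the profile covers everything."""
    profile = load_profile(raw)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates are naive UTC
    problems = []
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    # The profile embeds each associated signing certificate as DER bytes.
    embedded = {hashlib.sha256(c).hexdigest() for c in profile.get("DeveloperCertificates", [])}
    if hashlib.sha256(cert_der).hexdigest() not in embedded:
        problems.append("signing certificate not in profile")
    provisioned = {u.lower() for u in profile.get("ProvisionedDevices", [])}
    for udid in udids:
        if udid.lower() not in provisioned:
            problems.append(f"UDID not provisioned: {udid}")
    # application-identifier is "<TeamID>.<bundle ID or wildcard>", e.g. "TEAMID.com.*"
    app_id = profile["Entitlements"]["application-identifier"].split(".", 1)[1]
    covered = bundle_id.startswith(app_id[:-1]) if app_id.endswith("*") else bundle_id == app_id
    if not covered:
        problems.append(f"bundle ID {bundle_id} not covered by {app_id}")
    return problems

# Constructed sample: placeholder bytes around a plist, standing in for a real signed profile.
SAMPLE_CERT = b"constructed-DER-placeholder"
SAMPLE_PROFILE = b"\x30\x82" + plistlib.dumps({
    "Name": "Example Development Profile",
    "ExpirationDate": datetime(2999, 1, 1),
    "DeveloperCertificates": [SAMPLE_CERT],
    "ProvisionedDevices": ["00008030-000A1B2C3D4E5F60"],
    "Entitlements": {"application-identifier": "ABCDE12345.com.*", "get-task-allow": True},
}) + b"\x00constructed-signature"

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE, SAMPLE_CERT,
                        ["00008030-000a1b2c3d4e5f60"], "com.example.app"))
```

For a real profile, pass the bytes of the downloaded .mobileprovision and of development.cer in place of the samples.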